Air Canada, San Diego Zoo and easyJet among 16 companies that exposed credit card data during payments on their mobile websites and apps
Wandera has identified a vulnerability – dubbed CardCrypt – where customers’ personal data is being transmitted unencrypted from mobile devices
SAN FRANCISCO, 9th December 2016: Customers’ credit card information, passport data, purchase data and other Personally Identifiable Information (PII) is being sent unencrypted from smartphones when users are purchasing items from major brands’ mobile websites and apps.
Companies identified include easyJet, Air Canada*, San Diego Zoo, AirAsia, Aer Lingus and 11 others, ranging from taxi firms (KV Cars in the UK and American Taxi in the US) to gift card and event ticket providers (Sistic in Singapore). Notes to editors – each company has been notified about the vulnerability and a full list is included below the release
Wandera detected payment information leaking unencrypted from smartphones while users were accessing these companies’ mobile websites and apps during the purchase and upgrade processes, for example when booking a ticket or choosing a seat. The data includes complete credit card details, the CVV security code, customer names, full addresses, transaction amounts and contact details. The exact information leaked varies according to what each company requests in order to complete the transaction, but in nearly all cases complete credit card data was detected ‘in the clear’, and in one case detailed passport information was also revealed.
The 16 companies that have been identified have a combined 500,000 passengers and customers per day.
Dubbed ‘CardCrypt’ by Wandera, the flaw common to all of the vulnerable websites and mobile apps is that they do not use HTTPS (HTTP over TLS) to encrypt the connection between the browser or app on the user’s smartphone and the company’s website, mobile website or backend web services. The credit card information is instead transmitted ‘in the clear’, i.e. unencrypted, over plain HTTP. Anyone positioned on the network path, such as the operator of a public Wi-Fi hotspot, a rogue access point or any intermediate network, can read the request, so the data is freely available for interception and use in wide-ranging identity theft and fraud.
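The following is an added illustration of what a passive observer (or a security gateway such as the one described in this release) can pull out of such traffic; it is example code written for this page, not Wandera’s product code. It parses a constructed, entirely fictitious plain-HTTP booking POST (invented host, path, field names and a standard test card number), extracts 13–19 digit values, filters them with the Luhn check so that order references and similar numbers are not reported, and shows that the same scan over the opening bytes of a TLS handshake yields nothing, because with HTTPS the card data is never visible on the wire.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl

# Constructed sample of a plain-HTTP booking POST of the kind the release
# describes. Host, path, field names and values are all invented; the card
# number is a standard test PAN, not a real card.
_BODY = (
    b"name=Jane+Doe&pan=4111+1111+1111+1111&cvv=123&expiry=12%2F27"
    b"&booking_ref=1234567890123456&amount=249.00"
)
SAMPLE_HTTP_POST = (
    b"POST /mobile/booking/pay HTTP/1.1\r\n"
    b"Host: m.example-airline.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    b"\r\n" + _BODY
)

# Constructed first bytes of a TLS ClientHello: what the same observer sees
# when the app uses HTTPS. The bytes after the record header are dummy.
SAMPLE_TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 40

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    field: str
    masked_pan: str


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; it filters out
    order numbers, phone numbers and other 13-19 digit values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_tls(raw: bytes) -> bool:
    """True if the stream starts with a TLS handshake record (type 0x16,
    major version 3). Card data inside it is not recoverable by an observer."""
    return len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03


def find_pans(text: str):
    """Yield (original_match, normalised_digits) for Luhn-valid PANs in text."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            yield m.group(0), digits


def scan_http_request(raw: bytes) -> list:
    """Parse a cleartext HTTP request as a network observer would see it and
    return the form fields that carry Luhn-valid card numbers (PAN masked)."""
    if is_tls(raw):
        return []  # encrypted: nothing to inspect, and nothing leaked
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return []
    headers = head.decode("latin-1").split("\r\n")
    content_type = next(
        (h.split(":", 1)[1].strip() for h in headers[1:]
         if h.lower().startswith("content-type:")),
        "",
    )
    if content_type.startswith("application/x-www-form-urlencoded"):
        pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    else:
        pairs = [("<body>", body.decode("latin-1", errors="replace"))]
    findings = []
    for field, value in pairs:
        for _, digits in find_pans(value):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(Finding(field, masked))
    return findings


if __name__ == "__main__":
    for f in scan_http_request(SAMPLE_HTTP_POST):
        print(f"cleartext card number in field {f.field!r}: {f.masked_pan}")
    print("findings in TLS stream:", scan_http_request(SAMPLE_TLS_CLIENT_HELLO))
```

Run as-is it reports the `pan` field with the number masked to its first six and last four digits, ignores the 16-digit `booking_ref` (it fails the Luhn check), and reports nothing for the TLS stream. The same logic, applied at a gateway or on a proxy, is the kind of check that surfaces this class of leak; the fix on the app side is simply to send the request over HTTPS.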
It is a fundamental requirement of PCI DSS (the Payment Card Industry Data Security Standard) to encrypt transmission of cardholder data across open, public networks: “Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit”. Reference: Requirement 4, page 46 of PCI DSS v3.1, the version current at the time of this release, most recently updated April 2015.
“We believe there are two likely reasons why HTTPS has not been used,” comments Eldar Tuvey, CEO Wandera, the company that discovered the data leaks. “It could be a flaw in the coding, or it could be a case of relying on inadequate third party services or libraries. Either way, it’s astounding to me that these companies have failed to exercise sufficient care in the collection of their customers’ personal data.”
In one particular instance that Wandera has identified, a customer of Sistic, the Singapore-based ticket provider, purchased two tickets for Cirque du Soleil using the mobile app. Because he is an employee of a Wandera enterprise customer, Wandera secures his mobile device to protect against data leaks. In doing so, Wandera detected his entire credit card information, full name, address and transaction details being transmitted from the smartphone ‘in the clear’ and unencrypted. The employee was informed and has now cancelled his relevant credit cards. Notes to editors – this user is available for comment
Wandera has reported the issue to each company according to its responsible disclosure process prior to issuing this release. The company’s investigations are still ongoing and involve mobile users of other global brands, but it wanted to ensure users were alerted as soon as possible.
“The most alarming thing is that it is very likely that there are plenty of other brands who have made the same mistakes,” concludes Tuvey. “With lots of people booking journeys to go home for the Christmas holidays, it is worrying how much sensitive data could be put at risk.”